Koozali.org: home of the SME Server
Obsolete Releases => SME Server 9.x => Topic started by: flep on January 03, 2016, 08:37:54 PM
-
Hello,
At this time I understand that SME Server can handle one SSL cert for all functions.
In the case of multi-domains, how to configure multiple certs, one for each FQDN?
-
You know you can have multiple domains on a single cert, right?
-
In the case of multi-domains, how to configure multiple certs, one for each FQDN?
SME server currently has no support for SNI configuration, and not all clients will support it anyway.
See:
https://en.wikipedia.org/wiki/Server_Name_Indication
-
Please follow here:
http://bugs.contribs.org/show_bug.cgi?id=8693
-
SME server currently has no support for SNI configuration, and not all clients will support it anyway.
See:
https://en.wikipedia.org/wiki/Server_Name_Indication
According to the page you linked, we'd not worry too much about clients...
-
In the idea of a letsencrypt implementation, I don't think that one cert that embeds all FQDNs in the machine is a good solution.
The proposal of unimilenium in http://bugs.contribs.org/show_bug.cgi?id=8693 will simplify a letsencrypt contrib.
-
In the idea of a letsencrypt implementation, I don't think that one cert that embeds all FQDNs in the machine is a good solution.
Why not? A letsencrypt cert can have up to 100 SANs, which should fit most use cases where SME would be deployed. I'm far from a TLS guru, but I don't see why this would be a bad thing.
-
At this time letsencrypt only allows renewal every 7 days.
If you add or delete an FQDN in your server, you have to wait 7 days to be able to update the 'all-in-one' cert.
On the other side, people who have already bought a commercial cert or use a StartSSL one may want to keep their existing cert.
-
At this time letsencrypt only allows renewal every 7 days.
Letsencrypt issues up to five certificates for a given domain every seven days (with the current rate limits).
Edit: And just for the sake of testing... my automated renewal ran successfully last night at 22:48. It's now 9:52, and I just successfully renewed that same cert. That's a renewal less than 12 hours after the last one. So it is pretty clearly not the case that LE limits renewals to every 7 days, at least at this time. You can probably see them both on https://crt.sh/?q=familybrown.org (the one I just made isn't showing there yet, but I expect it will propagate shortly).
Where I do see value in SNI is if you're providing web hosting to others, and (1) you don't want to take your web server down (however briefly) every time you add a domain for one of your customers, and/or (2) your customers want their own TLS certs (perhaps they want an EV cert). That would, I think, call for SNI, but I'm not sure how common of a use case that is for an SME server.